CVE-2026-0620

Published: Feb 3, 2026Modified: Feb 4, 2026

6.0

Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: f23511db-6c3e-4e32-a477-6aa17d310630 (Secondary)

Description

When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality.

Related CWEs

CWE-693

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (3)

https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware

Source: f23511db-6c3e-4e32-a477-6aa17d310630

https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware

Source: f23511db-6c3e-4e32-a477-6aa17d310630

https://www.tp-link.com/us/support/faq/4942/

Source: f23511db-6c3e-4e32-a477-6aa17d310630

Timeline

No history available yet.